DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 4ABJUDNP3895826 Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 4ABJUDNP3895826 Authentication-Results: delorie.com; dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=sMX5GnjY X-Recipient: archive-cygwin AT delorie DOT com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D50653858C66 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1731353411; bh=VfTWTVqqNDAy218RdT5wxBe+qfLLCZaBZip7m10DWUQ=; h=Date:To:Subject:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: From; b=sMX5GnjYVuFZ6hEoPx6AvVvNnPlxZvxvkRzrXS0yYkXLXENvmhJaiqxZSCk1SBmx5 uuJ/aCIfySdwcx2E1G8XomLErA6mY4o79XPDO2shYfyAV1UKr5UYCNGgpNz4DDINar udEzRxofdeCIDlp8rPBR9iwdSTb0KAD1BApZKAG0= X-Original-To: cygwin AT cygwin DOT com Delivered-To: cygwin AT cygwin DOT com DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org AE8063858D28 ARC-Filter: OpenARC Filter v1.0.0 sourceware.org AE8063858D28 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1731353385; cv=none; b=ZRj2d1HoPaMyA4obTUHZwyt8UtNyISwOg+vqHzrr6ynbZU4NZbX8OE9TFczRkecKt/ZKdkiZw0qbhAKv5cHXRSclYajqUa/iGyfT59EkTGuyBiT8pEEacEgaT/nirQQL+4jqOPZT4LWttAe7vzhD3daazct7B21FNrEivpt4gEQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1731353385; c=relaxed/simple; bh=frcUliy05MDVJhywt4/YH/pjbjRX9SmU+7KuwFbglWY=; h=Date:From:To:Subject:Message-Id:Mime-Version:DKIM-Signature; b=dZUSCCtTOG3v7V1MD7Cfg1ShIu/k2q46PEht1PFQ91VfndkWBVhq94LSCZhrJxIu0A9DFiBWMeTcmVLZnKcoRoDWltDSwH+xJpNjB3XFLJmr30fr0EQARcWElEIaaa5itQqtcJkwnKPeGPNZEEeufX8D1rb36SkboH7GrdfOJp0= ARC-Authentication-Results: i=1; server2.sourceware.org Date: Tue, 12 Nov 2024 04:29:37 +0900 To: cygwin AT cygwin DOT com Subject: Re: SMBFS mount's file cannot be made executable Message-Id: <20241112042937.740185a42d476993b4b1e31c@nifty.ne.jp> In-Reply-To: References: <20241108205109 DOT 55f99e2d172b9fc87e92ae67 AT nifty DOT ne DOT jp> <20241111193152 DOT c3a81044a03ecf2093185166 AT nifty DOT ne DOT jp> <20241111201928 DOT 811a2f8f09142b7aa8fe9bdc AT nifty DOT ne DOT jp> <20241111203202 DOT b22bcf4f9030aff58299fe0e AT nifty DOT ne DOT jp> <20241111204051 DOT 493f12208bb59d62b699dd28 AT nifty DOT ne DOT jp> <20241111211953 DOT 605b186566ce3a44ca929788 AT nifty DOT ne DOT jp> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.30; i686-pc-mingw32) Mime-Version: 1.0 X-BeenThere: cygwin AT cygwin DOT com X-Mailman-Version: 2.1.30 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Takashi Yano via Cygwin Reply-To: Takashi Yano Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com Sender: "Cygwin" On Mon, 11 Nov 2024 14:35:55 +0100 Corinna Vinschen wrote: > On Nov 11 21:19, Takashi Yano via Cygwin wrote: > > On Mon, 11 Nov 2024 13:03:18 +0100 > > Corinna Vinschen wrote: > > > On Nov 11 20:40, Takashi Yano via Cygwin wrote: > > > > On Mon, 11 Nov 2024 20:32:02 +0900 > > > > Takashi Yano via Cygwin wrote: > > > > > Even with this patch, the file: > > > > > > > > > > yano $ touch samba_test_file.txt > > > > > yano $ ls -l samba_test_files.txt > > > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt > > > > > > > > Oops! This was wrong. > > > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt > > > > > > That's Samba for you. I applied your patch and created a file > > > on my share, and the Authenticated Users group was not in the > > > resulting ACL. Only user, group, and Everyone. > > > > > > Either way, I don't think this is the right thing to do. Even if > > > the group isn't added to the ACL on my machine, it still loks like > > > a security problem in waiting. > > > > Isn't this DACL here used only for access_check() (NtAccessCheck())? > > In my environment, the Authenticated Users does not appear in the ACL > > too. > > Oh, yeah, right, *blush*. > > But it's still not the right thing to do. You convert the Samba ACL > to a Windows ACL which gives Authenticated Users full permissions. > So the check_access() function will return false positives, because > every authenticated user is in the Authenticated Users group and has > supposedly FILE_ALL_ACCESS. Even if the actual function (read, write, > execute) will fail, the access() function will claim that every > authenticated user has RWX perms. Ah, right. I have just confirmed that behaviour... > AFAICS, the underlying problem is somehow the user mapping. Did you > try with username map = /foo/bar? Yes. However, my user name is 'yano' both in server (Linux) and client (Windows 10) side. So, I think there is no effect of 'username map'. -- Takashi Yano -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple